Message-ID: <200408091729.i79HTFXn022873@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: [anti-XSS]about CERT/CC:malicious_code_mitigation 

On Sat, 07 Aug 2004 06:25:00 -0000, bitlance winter said:

> #! The first function takes the negative approach.
> #! Use a list of bad characters to filter the data
> sub FilterNeg {
>     local( $fd ) = @_;
>     $fd =~ s/[\<\>\"\'\%\;\)\(\&\+]//g;
>     return( $fd ) ;
> }

*BZZT!!* Wrong.  Don't do this in production code, because...

> I have understood that bad characters are
> < > " ' % ; ) ( & +

If it turns out that * (asterisk) is a "bad character", you're screwed.

If it turns out that *any other* character is "bad", you're screwed.

The *proper* way to do the filtering is to *remove* *all* characters
not known to be good.  Something like:

$fd =~ s/[^-_ a-zA-Z0-9]//g;

Only pass alphabetic, numeric, space, hyphen, and underscore.  Add other
characters *only* if you can show they are *not* a problem.
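The two approaches side by side, as an added example in Python (not code from the original message): the denylist regex mirrors the quoted FilterNeg, the allowlist regex is the one given in the reply, and the sample inputs are constructed to show which characters slip past the denylist.

```python
import re

# Added illustration, not code from the original message.
# Denylist from the quoted FilterNeg: strip only the characters listed.
DENY_RE = re.compile(r"""[<>"'%;)(&+]""")
# Allowlist from the reply: strip everything NOT known to be good.
ALLOW_RE = re.compile(r"[^-_ a-zA-Z0-9]")


def filter_neg(text: str) -> str:
    """Negative approach: remove a fixed list of 'bad' characters."""
    return DENY_RE.sub("", text)


def filter_pos(text: str) -> str:
    """Positive approach: keep only letters, digits, space, hyphen, underscore."""
    return ALLOW_RE.sub("", text)


def compare(text: str) -> dict:
    """Run both filters and report the characters the denylist let through
    that the allowlist removed (the filtering gap the reply warns about)."""
    neg = filter_neg(text)
    pos = filter_pos(text)
    leaked = sorted(set(neg) - set(pos))
    return {"denylist": neg, "allowlist": pos, "leaked": leaked}


# Constructed inputs: all but the first carry a character the denylist ignores.
SAMPLES = [
    "Hello World-2004_ok",          # fully benign: both filters leave it intact
    "name*with*asterisks",          # the '*' case raised in the reply
    "tab\there and newline\n",      # control characters are not on the denylist
    "caf\u00e9 \u2013 unicode",     # non-ASCII survives the denylist unchanged
    "<script>alert('x')</script>",  # characters both filters remove ('/' only by allowlist)
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", compare(s))
```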